[openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d
Jayalakshmi bhat
bhat.jayalakshmi at gmail.com
Fri Dec 4 11:31:23 UTC 2015
Hi Matt,
Thanks a lot for the response.
Is your application a client or a server? Are both ends using OpenSSL 1.0.2d?
If not, what is the other end using?
>>Our device has both TLS client,server apps. As client, device
communicates with radius server, LDAP server etc.As server device is
accessed using various web browsers.
Hence both the end will not be OpenSSL 1.0.2d.
How exactly are you doing that? Which specific cipher are you seeing fail?
>> We have provided user option to select TLS protocol versions similar to
the browsers. Depending upon the user configurations we set the protocol
flags (SSL_OP_NO_TLSv1,SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2) in the SSL
context using SSL_CTX_clear_options/SSL_CTX_set_options.
>> We have provided user option to chose ciphers as well.
All these are in the application space,no changes have been done and they
have been working good with OpenSSL 1.0.1c. Only the library is upgraded to
OpenSSL 1.0.2d.I have used AES256-CBC and AES128 CBC ciphers and with both
the ciphers issue is seen.
Are you able to provide a packet capture?
>> Please find the attached traces for server mode.
What O/S is this on?
>>This is built for WinCE and Vxworks
Regards
Jaya
On Fri, Dec 4, 2015 at 3:02 PM, Matt Caswell <matt at openssl.org> wrote:
> Hello Jaya
>
> We're going to need some more information. There isn't a generic problem
> with CBC ciphers and TLS1.0 in 1.0.2d (it's working fine for me) - so
> there is something specific about your environment that is causing the
> issue. Comments inserted below.
>
> On 04/12/15 06:53, Jayalakshmi bhat wrote:
> > Hi All,
> >
> >
> >
> > Recently we have ported OpenSSL 1.0.2d. Everything works perfect except
> > the below explained issue.
>
> Is your application a client or a server? Are both ends using OpenSSL
> 1.0.2d? If not, what is the other end using?
>
>
> > When we enable only TLS 1.0 protocol and select CBC ciphers,
>
> How exactly are you doing that? Which specific cipher are you seeing fail?
>
>
> > Now my question is whatever I did is it correct?
>
> That would not be a recommended solution
>
> > Or Do need to replace
> > complete s3_cbc.c with OpenSSL 1.0.1e?
>
> No. You cannot just copy and paste stuff from 1.0.1 to 1.0.2.
>
> Some other questions:
>
> Are you able to provide a packet capture?
> How did you build OpenSSL...i.e. what "Configure" options did you use?
> What O/S is this on?
>
> Matt
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151204/5954b2da/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: server.pcapng
Type: application/octet-stream
Size: 3692 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151204/5954b2da/attachment.obj>
More information about the openssl-users
mailing list